I was asked to gaze into my crystal ball and write a piece around the Cyber Security challenges for 2017. Here is the article as it appeared on the ITProPortal website:
If there’s one thing you can say with certainty about cyber-security in 2017, it’s that many companies are going to fail because they are simply not doing the right thing. Fundamental flaws still exist.
Image source: Shutterstock/jijomathaidesigners
It's about the business
Until the technical people lift their heads up and see that security and business are different sides of the same coin, we will inevitably see more damaging attacks. When security people learn to speak in the language of business they will begin to understand just where in the organisation they need to apply their expertise.
This might be smart configuration options, cautious security policies, vigilance and a willingness to read server logs like some people read the newspaper in the morning to identify targeted attacks.
Of course, this won’t stem the malware tsunami but it will help defend against it. Leading the malware charge in 2017 will be ransomware. Like 2016 it will be more of the same, with an important and fundamental exception; ransomware will be more sophisticated.
Advanced attack vectors
Encryption keys are becoming more complex while ransomware attack vectors are becoming alarmingly advanced. Ransomware can mount previously mapped drives, encrypt them, and then unmount them, reaching deeper into the network.
However, the efficiency of ransomware as a tool for fraud will also be slowly undermined. One misconception about ransomware is that once the ransom is paid, the victim receives the keys to unlock their files. Increasingly we are seeing instances of this not happening. The fraudsters are simply taking the money and running.
Criminals dumbing down
As ransomware is now available as-a-service, it is reaching down into the lower levels of the criminal underworld and organised crime networks. The type of villain who uses the ‘service’ might have previously been involved with keeping crooked books for instance.
As such they can’t be bothered to send decryption keys which of course will erode the value of ransomware as victims increasingly refuse to pay the ransom.
Another major area of concern is the security of IoT devices. It’s fair to say that the existing state of device security isn’t great. Some devices are managed by web consoles that don’t even have encryption. Some devices have passwords hard coded into them that you can’t change. It would be good to see manufacturers take some responsibility but this is unlikely as they operate with tight margins and are unlikely to take on tasks that eat into thin profits.
If we’re lucky, we will see the emergence of pressure groups consisting of industry vendors and third parties who are no longer willing to sit back and watch major hacks unfold.
Questioning machine learning
Another area to keep an eye on is machine learning. As with any new technology it’s usually proclaimed with a loud fanfare and over exaggerated claims that often fall just short of guaranteeing freedom for all and world peace. In terms of security, machine learning does promise a lot of potential but when you drill down some serious questions need to be asked.
In 2017 we’re likely to see these questions put forward with some force, as it becomes apparent that machine learning in the security realm has flaws. For instance, how are the machines learning, are millions of good and bad results being fed into the machine to ensure accurate analytics and what kind of input is coming from security labs and research teams?
These are important questions and with the advent of next-generation endpoints, such as mobile devices and laptops designed to respond to machine learning security in depth is vital to ensure success. If machine learning vendors can’t answer these questions with confidence, then you can expect to see machine learning and security take a dive.
Shock of GDPR
An area where you can expect to see panic break out is the European Union’s General Data Protection Regulations or GDPR as it’s more commonly known. At the moment UK organisations are displaying naivety towards GDPR which comes into effect in May 2018. Many are hiding behind Brexit and taking the view that the UK won’t be in the EU come May 2018 so GDPR won’t affect them. However, if a business operates in Europe, it will.
To meet GDPR requirements, measures need to be put in place in 2017. Many companies have already finalised budget for 2017 but haven’t made any provision for GDPR. With no budget provision, there’s going to be an awful lot of flapping when companies realise that it’s nowhere near compliance ready.
Big fines, big panic
GDPR also reaches up to the board and any data breaches can result in enormous fines of up to 4 per cent of revenue. This can and will translate in some cases, to fines that run into millions of pounds. Are executive directors aware that if they show negligence in protecting customer data they’re going to be hit really hard?
In summary, it would be uplifting to say that we’re not going to see any more major breaches, that fundamental flaws will be addressed, that new technologies are going to change the security landscape for the better and everyone is set for GDPR. In reality, while we will see some positives we also need to prepare our businesses for more breaches and more hacks.